How to implement an incident response plan

This article was originally published on Technology.Info.
As part of our continuing strategy for growth, ITProPortal has joined forces with Technology.Info to help us bring you the very best coverage we possibly can.


In today’s online world, cyber attacks have simply become unavoidable and organisations must thus adopt new cyber-security postures to be prepared for and successfully respond to incidents right at the first sign of intrusion.

The following six steps are intended to guide organisations in properly managing cyber breaches when they occur:

Step one: Preparation

The more prepared businesses are to act immediately, the better.

    • Perform a proactive “Sensitive-Data Audit”: Know where sensitive data resides and come up with a data protection strategy. Doing this in advance saves countless hours of inventory work that would otherwise have to be done in the heat of the moment after a cyber-attack. The audit should cover personally identifying information (PII) such as credit-card data, any intellectual property, classified materials and any data under regulatory or compliance control.
    • Process maintenance: To make sure that response teams are always ready and up-to-date, they should know the sensitive data locations, keep systems patched and up-to-date, conduct ongoing vulnerability testing, and continually test and refine the process with regular “fire drills”.
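The sensitive-data audit described in step one is the kind of task that is easy to script and run on a schedule. The following is an added example, not code from the article: it walks a directory tree and reports where likely payment-card numbers (digit runs that pass the Luhn check) and classification markers live. The marker list, the file names and their contents are constructed for the demo; a real audit would take its patterns and scope from the organisation's data-protection policy.

```python
"""Sensitive-data audit (added example; not code from the article).

Walks a directory tree and records where likely sensitive data lives:
payment-card numbers (13-19 digit runs that pass the Luhn check) and files
carrying classification markers. Markers and sample files are constructed.
"""
import os
import re
import tempfile

# Candidate card numbers: 13-19 digits, optionally separated by spaces or
# dashes, and not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Constructed classification markers; a real audit would load these from policy.
MARKERS = ("CONFIDENTIAL", "RESTRICTED", "PII")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out random digit runs (ticket ids, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the normalised (separator-free) card numbers found in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def audit_file(path: str) -> dict:
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        text = f.read()
    return {
        "cards": len(find_card_numbers(text)),
        "markers": [m for m in MARKERS if m in text],
    }


def audit_tree(root: str) -> list:
    """One finding per file that holds card numbers or classification markers."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            result = audit_file(path)
            if result["cards"] or result["markers"]:
                result["path"] = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append(result)
    return findings


# Constructed sample files so the audit runs offline. 4111 1111 1111 1111 is
# the well-known Visa test number; the second row fails the Luhn check and the
# ticket number in notes.txt is a 13-digit run that also fails it.
SAMPLE_FILES = {
    "orders.csv": "id,card\n1,4111 1111 1111 1111\n2,4111-1111-1111-1112\n",
    "notes.txt": "Meeting notes. Ticket 1234567890123 is unrelated.\n",
    "hr/review.txt": "CONFIDENTIAL: annual review, contains PII.\n",
}


def build_sample_tree() -> str:
    root = tempfile.mkdtemp(prefix="audit_demo_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
    return root


def demo() -> list:
    """Audit the constructed tree; expect orders.csv and hr/review.txt flagged."""
    return audit_tree(build_sample_tree())


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['path']}: {finding['cards']} card number(s), "
              f"markers={finding['markers']}")
```

The output of such a run is the inventory the article asks for: a list of locations that hold regulated or confidential data, which the response team can consult immediately during triage instead of building it under pressure.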

Step two: Detect and expose

There are two ways to proactively and effectively validate cyber threats: endpoint security analytics and security automation.

    1. Endpoint Security Analytics: Leveraging data from all servers and end-user devices, endpoint security analytics can give complete visibility of endpoint activities across the network, in order to detect anomalous behaviour, risk areas, and security threats before damage can spread.
    2. Security Automation: Integrating network-enabled cyber forensics tools with SIEM systems helps to quickly reveal and validate suspect or mutating software on any endpoint on the network. The cyber forensics tool should be able to work quickly across platforms, as speed is essential to finding and collecting actionable volatile data.


Step three: Triage

Once a problem has been identified, the next step is to scope the threat to understand the extent of the compromise and its ongoing capabilities. The biggest threats should be dealt with first, followed by determining whether any PII or intellectual property has been compromised.

Step four: Classify and contain

The focus during this stage should be on the containment of the threat. Typically a forensics team that can handle malware with reverse-engineering capabilities will be brought in, as the main goal is to determine how to eradicate malware from the network. Many incident response teams create a sandbox to observe the malware and understand what it does and how it behaves, which will help in determining the best way to contain it.

As part of the analysis, the forensics team will remotely collect malware and relevant data with network-enabled forensic tools, collect and preserve volatile data as potential evidence, capture the crucial malware and artifacts, determine whether it is polymorphic or metamorphic, discover hash values and registry values and recommend remediation steps.

Step five: Remediate

Once the malware has been identified, as well as which and how much sensitive data has been breached, it is time to remediate. The incident response team can begin remediating systems by deleting all malicious or unauthorised code. At this time, they should also conduct a post-attack sensitive-data audit of the affected machines to ensure data resides only where it safely belongs in the network.

Once the incident has been remediated, continuous monitoring of the network’s activities will be instrumental in determining whether or not the remediation steps taken were sufficient to successfully return systems to their original, optimal state.
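Two of the concrete tasks in steps four and five, preserving captured artifacts with their hash values and then checking that remediation actually removed every copy of the malware, fit naturally in one script. The example below is added here and is not the article's or any vendor's tool: it hashes each captured artifact into a manifest (SHA-256 for integrity, MD5 alongside it because many older threat-intelligence feeds still key on it), re-verifies the preserved evidence later, and then sweeps the remediated host for any file whose hash still matches a captured malware sample. The case id, analyst name, artifact contents and host directory layout are all constructed for the demo.

```python
"""Evidence manifest and post-remediation sweep (added example; not the
article's code).

Step four: hash every captured artifact (SHA-256 and MD5) into a manifest so
its integrity can be checked later, recording who collected it and when.
Step five: treat the hashes of captured malware as a known-bad set and
re-scan the remediated host; any file still matching means a copy was missed.
Case id, collector, artifact contents and host paths are constructed.
"""
import hashlib
import os
import tempfile
import time


def hash_file(path: str) -> tuple:
    """Stream the file so large memory captures are not read into RAM at once."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def build_manifest(artifact_dir: str, kinds: dict, case_id: str, collector: str) -> dict:
    """One entry per captured artifact; `kinds` maps file name -> 'malware'/'volatile'."""
    entries = []
    for name in sorted(os.listdir(artifact_dir)):
        path = os.path.join(artifact_dir, name)
        sha256, md5 = hash_file(path)
        entries.append({"name": name, "kind": kinds.get(name, "other"),
                        "size": os.path.getsize(path), "sha256": sha256, "md5": md5})
    return {"case_id": case_id, "collected_by": collector,
            "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "artifacts": entries}


def verify_manifest(manifest: dict, artifact_dir: str) -> list:
    """Names of preserved artifacts whose SHA-256 no longer matches the manifest."""
    changed = []
    for entry in manifest["artifacts"]:
        sha256, _ = hash_file(os.path.join(artifact_dir, entry["name"]))
        if sha256 != entry["sha256"]:
            changed.append(entry["name"])
    return changed


def known_bad_hashes(manifest: dict) -> set:
    """Only the malware samples form the known-bad set, not memory captures."""
    return {e["sha256"] for e in manifest["artifacts"] if e["kind"] == "malware"}


def sweep(host_root: str, bad: set) -> list:
    """Relative paths under host_root whose content hash is in the known-bad set."""
    hits = []
    for dirpath, _, files in os.walk(host_root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if hash_file(path)[0] in bad:
                hits.append(os.path.relpath(path, host_root).replace(os.sep, "/"))
    return hits


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    base = tempfile.mkdtemp(prefix="ir_demo_")
    evidence = os.path.join(base, "evidence")
    host = os.path.join(base, "host")
    dropper = b"MZ\x90\x00 constructed dropper sample, not real malware"
    # Step four: artifacts captured from the compromised host (constructed).
    _write(os.path.join(evidence, "dropper.bin"), dropper)
    _write(os.path.join(evidence, "memory.dmp"), b"constructed volatile memory capture")
    kinds = {"dropper.bin": "malware", "memory.dmp": "volatile"}
    manifest = build_manifest(evidence, kinds, "CASE-0001-DEMO", "analyst-demo")
    # Step five: the host after cleanup. One copy of the dropper under Temp was
    # missed (constructed layout), which the sweep should surface.
    _write(os.path.join(host, "Users", "alice", "report.docx"), b"benign document")
    _write(os.path.join(host, "Windows", "Temp", "svc.tmp"), dropper)
    remaining = sweep(host, known_bad_hashes(manifest))
    changed_before = verify_manifest(manifest, evidence)
    # Simulate someone touching the preserved memory capture after collection.
    with open(os.path.join(evidence, "memory.dmp"), "ab") as f:
        f.write(b"!")
    changed_after = verify_manifest(manifest, evidence)
    return {"manifest": manifest, "remaining": remaining,
            "changed_before": changed_before, "changed_after": changed_after}


if __name__ == "__main__":
    result = demo()
    print(f"artifacts preserved: {len(result['manifest']['artifacts'])}")
    print(f"known-bad files still on host: {result['remaining']}")
    print(f"evidence changed after tampering: {result['changed_after']}")
```

A hash sweep only catches byte-identical copies; the article's point about polymorphic or metamorphic malware is exactly why it must be paired with the continuous behavioural monitoring described above rather than used on its own.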

Step six: Report and post-mortem

Here, the incident response team should consult the relevant data breach-notification regulations and policies for each of the industries in which the organisation operates. Legal, IT, PR and executive teams should have a breach-notification plan in place and be ready to take the appropriate steps when the incident report is presented to them.

The post-mortem report will be vital to all concerned with business reputation, viability and operations, and should be as clear and non-technical as possible. It should include a list of lessons learned from the incident: what the organisation intended or planned to do, what went wrong, and what can be improved.

It is a sign of the changing security landscape that a security incident is now a matter of when, not if. Cyber criminals are ubiquitous and attacks will continue despite our resolute attempts to stop them – even organisations with the most steadfast defences in place are not immune. The emphasis now needs to be on accepting the risk as fact and responding as quickly and effectively as possible, and so mitigating the effects of a hack or breach.
